8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30358

GHSA ID

GHSA-f3mf-hm6v-jfhh

EPSS Score

0.61607%

CWE

CWE-915

Published

3/27/2025

Updated

3/27/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30358

CVE-2025-30358: Mesop Class Pollution vulnerability leads to DoS and Jailbreak attacks

From @jackfromeast and @superboy-zjc: We have identified a class pollution vulnerability in Mesop (<= 0.14.0) application that allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability could directly lead to a denial of service (DoS) attack against the server. Additionally, it could also result in other severe consequences given the application's implementation, such as identity confusion, where an attacker could impersonate an assistant or system role within conversations. This impersonation could potentially enable jailbreak attacks when interacting with large language models (LLMs).

Just like the Javascript's prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequnces like RCE when gadgets are available.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30358

GHSA ID

GHSA-f3mf-hm6v-jfhh

EPSS Score

0.61607%

CWE

CWE-915

Published

3/27/2025

Updated

3/27/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mesop	pip	< 0.14.1	0.14.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe processing of JSON input in dataclass update functions. The key vulnerable function is _recursive_update_dataclass_from_json_obj which lacked dunder property validation before the patch, as shown by the added check in the diff. This function is called by update_dataclass_from_json, which would appear in stack traces during exploitation. The test case confirms these functions are the attack vector by demonstrating pollution attempts through update_dataclass_from_json.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*rom @j**k*rom**st *n* @sup*r*oy-zj*: W* **v* i**nti*i** * *l*ss pollution vuln*r**ility in M*sop (<= [*.**.*](*ttps://*it*u*.*om/m*sop-**v/m*sop/r*l**s*s/t**/v*.**.*)) *ppli**tion t**t *llows *tt**k*rs to ov*rwrit* *lo**l v*ri**l*s *n* *l*ss *ttri*u

Reasoning

T** vuln*r**ility st*ms *rom uns*** pro**ssin* o* JSON input in **t**l*ss up**t* *un*tions. T** k*y vuln*r**l* *un*tion is _r**ursiv*_up**t*_**t**l*ss_*rom_json_o*j w*i** l**k** *un**r prop*rty v*li**tion ***or* t** p*t**, *s s*own *y t** ***** ****k

8.1

Basic Information

Concerned about an active attack path?

CVE-2025-30358: Mesop Class Pollution vulnerability leads to DoS and Jailbreak attacks

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI